
Exam CS0-002 topic 1 question 27 discussion

Actual exam question from CompTIA's CS0-002
Question #: 27
Topic #: 1

HOTSPOT -
A security analyst suspects that a workstation may be beaconing to a command and control server.
Inspect the logs from the company's web proxy server and the firewall to determine the best course of action to take in order to neutralize the threat with minimum impact to the organization.

INSTRUCTIONS -
Modify the Firewall Access Control rule to mitigate the issue.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.



Hot Area: (image not reproduced)

Suggested Answer: (image not reproduced)

Comments

TheSkyMan
Highly Voted 2 years, 9 months ago
With internal computers beaconing to C2 servers, many times you'll see a trend of traffic calling out at set intervals. In this case 192.168.1.6 is beaconing out to 2.63.25.201 (bqtest2.ru) every 5 seconds. Since we have a proxy server (192.168.1.10), we need to deny the proxy server's IP.
Action = DENY | Protocol = TCP | Source IP = 192.168.1.10 | Source Port = ANY | Dest IP = 2.63.25.201 | Dest Port = 80
Side note: I would block all traffic (ANY) to the destination port too, but that's not an option on this question.
upvoted 63 times
AaronS1990
2 years, 5 months ago
It's also beaconing out to malware.com on port 443 though...
upvoted 2 times
justauser
2 years ago
Seems like a red herring, obviously with only 1 rule to provide, it should be what TheSkyMan said.
upvoted 3 times
Mr_BuCk3th34D
2 years, 6 months ago
I agree 100%
upvoted 2 times
2Fish
2 years, 3 months ago
Agree. Thanks for the breakdown.
upvoted 2 times
attesco
1 year, 11 months ago
Good explanation
upvoted 2 times
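The interval check TheSkyMan describes, as an added example that is not part of the exam question or of any commenter's post: it parses constructed proxy log lines, flags client-to-destination flows whose request gaps are near-constant, and emits the deny rule in the question's column order with the proxy's address as the source, because the firewall only sees the NATed proxy IP. The log format, the timestamps and the 192.168.1.7 traffic are assumptions; the 192.168.1.6 to 2.63.25.201 five-second beacon and the proxy at 192.168.1.10 come from the discussion.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (assumed format, not the exam's real log):
# timestamp, client IP, destination host, destination IP, destination port.
PROXY_LOG = """\
2023-01-01T10:00:00 192.168.1.6 bqtest2.ru 2.63.25.201 80
2023-01-01T10:00:02 192.168.1.7 www.example.com 93.184.216.34 443
2023-01-01T10:00:05 192.168.1.6 bqtest2.ru 2.63.25.201 80
2023-01-01T10:00:10 192.168.1.6 bqtest2.ru 2.63.25.201 80
2023-01-01T10:00:11 192.168.1.7 www.example.com 93.184.216.34 443
2023-01-01T10:00:15 192.168.1.6 bqtest2.ru 2.63.25.201 80
2023-01-01T10:00:20 192.168.1.6 bqtest2.ru 2.63.25.201 80
2023-01-01T10:00:37 192.168.1.7 www.example.com 93.184.216.34 443
2023-01-01T10:00:50 192.168.1.7 www.example.com 93.184.216.34 443
"""

PROXY_IP = "192.168.1.10"  # the proxy NATs clients, so the firewall sees this as the source


def find_beacons(log_text, min_hits=4, max_jitter=0.2):
    """Return {(client, dst_ip, port): mean_gap_seconds} for flows whose
    inter-request gaps are near-constant (coefficient of variation <= max_jitter)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, _host, dst_ip, port = line.split()
        times[(client, dst_ip, int(port))].append(datetime.fromisoformat(ts))
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:  # too few requests to call it a pattern
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


def deny_rule(beacon_key, egress_ip=PROXY_IP):
    """Rule in the question's order: Action, Protocol, Source IP, Source Port, Dest IP, Dest Port.
    Source port is ANY because the client picks a new ephemeral port per connection."""
    _client, dst_ip, port = beacon_key
    return ("DENY", "TCP", egress_ip, "ANY", dst_ip, str(port))


if __name__ == "__main__":
    for key, gap in find_beacons(PROXY_LOG).items():
        print(f"{key[0]} -> {key[1]}:{key[2]} every {gap:.0f}s; rule: {' | '.join(deny_rule(key))}")
```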
CyberNoob404
Highly Voted 2 years, 5 months ago
DENY | TCP | 192.168.1.10 | ANY | 2.63.25.201 | 80
upvoted 12 times
RT7
Most Recent 1 year, 8 months ago
Is the correct answer: Source Port-51987, DST IP:101.23.45.78, DST Port:443?
upvoted 1 times
Big_Dre
1 year, 9 months ago
What about Action = DENY | Protocol = TCP | Source IP = 192.168.1.10 | Source Port = ANY | Dest IP = 2.63.25.201 | Dest Port = 8080? The destination port should be 8080 and not 80, since the beaconing will be done over the proxy and we know the default port is 8080.
upvoted 1 times
rg00
1 year, 11 months ago
DENY, TCP, 192.168.1.10, ANY, 2.63.25.201, 80
Notice that the source port is inconsistent in the logs. Therefore, the source port should be ANY.
upvoted 2 times
SimonR2
1 year, 11 months ago
If there was no firewall in the path from the proxy server to the internet and no address translation was done, it would be:
DENY > TCP > 192.168.1.6 > ANY > 2.63.25.201 > ANY
However, since we are NATing the source IP to that of the proxy server (this caught me out), the actual answer would be:
DENY > TCP > 192.168.1.10 > ANY > 2.63.25.201 > ANY
Ideally in the real world we would use the following rule, but this isn't an option:
DENY > ANY > ANY > ANY > 2.63.25.201 > ANY
upvoted 1 times
SimonR2
1 year, 11 months ago
Sorry, for the actual destination port answer it should be 80*
upvoted 2 times
kiduuu
2 years, 2 months ago
DENY | TCP | 192.168.1.6 | 51987 | 101.23.45.78 | 443
upvoted 1 times
[Removed]
2 years, 3 months ago
DENY | TCP | 192.168.1.10 | ANY | 2.63.25.201 | 80
upvoted 5 times
ChrisRM
2 years, 4 months ago
MailClient.exe 7 Clicked 4 infected .134 x .254 x .9 x .70 x .188 x .24 x .132 x 4 Logons: cpuziss/ jlee/ asmith/ kmathews (IP's matched those who clicked on the mailclient.exe link)
upvoted 1 times
ChrisRM
2 years, 4 months ago
Wrong post sorry guys
upvoted 3 times
msellars
2 years, 7 months ago
Found this in an earlier study guide (CS0-001). They have Deny -> TCP -> 192.168.1.6 -> ANY -> 2.63.25.201 -> 80. Although the FW will only recognize the next hop, which would be the proxy server, so replace .6 with .10.
upvoted 3 times
david124
2 years, 7 months ago
Action = DENY | Protocol = TCP | Source IP = 192.168.1.10 | Source Port = ANY | Dest IP = 2.63.25.201 | Dest Port = 80
upvoted 3 times
A_core
2 years, 8 months ago
Action = Deny | Protocol = TCP | SIP = 192.168.1.6 | Sport = Any | DIP = 2.63.25.201 | Dport = 80
upvoted 2 times
CW4901
2 years, 8 months ago
Have you taken the exam yet? If so, did you stick with this answer?
upvoted 1 times
bigerblue2002
2 years, 9 months ago
Looks like DENY TCP .10 ANY 2.63.25.201 80. The given answer only shows up once, would that really be beaconing?
upvoted 4 times
fablus78
2 years, 10 months ago
Wrong, the beaconing destination address is 2.63.25.101, so this is the address to block on all ports.
upvoted 7 times
twobuckchuck
2 years, 10 months ago
I agree with the answer, but wouldn't it be smart to block any service port, not just 51987?
upvoted 3 times